Test: Tighten Box credential phishing rule with auth check

Add SPF/DKIM authentication requirement to Box rule.
Valid change - should pass MQL Mimic tests.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: eric-sim-sublime

detection-rules/abuse_box_credential_phishing.yml

@@ -7,6 +7,7 @@ source: |
   
   // Legitimate Box sending infrastructure
   and sender.email.domain.root_domain == "box.com"
+  and (headers.auth_summary.spf.pass or headers.auth_summary.dkim.pass)
   
   // ML classification indicates credential theft with high confidence
   and (